Analysis
- max time kernel: 114s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 01:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll
- Resource: win7-20240508-en
General
- Target: 4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll
- Size: 120KB
- MD5: 4bceefbe345b452abeb46ece84d2ed50
- SHA1: c77be676463a84a7350f0a43f3117e79562efa16
- SHA256: 93fe6d0e6779b13610e5106a44faa5f7089232d5ef85926bf9a0eb8a6e774a5d
- SHA512: d0f877869d769d866750b6b05165c7c63b5043b0830591c634a4b9577edd323d10bd24a23766d80884dfa7b490721d59240b929b7d54d726dab53afb57e9f392
- SSDEEP: 1536:LKlY9zzPhfAkgf1nF8BleBXWX8TtKjf1ZIh8O8uOyVh8Y2Cdv4TVEKLx3yScvxv/:mizPGnF8BuEk3Y/CdyFncvRu3
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: e574d55.exe, e578b0a.exe
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
UAC bypass
Processes: e574d55.exe, e578b0a.exe
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass
Processes: e578b0a.exe, e574d55.exe
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Executes dropped EXE (3 IoCs)
Processes: e574d55.exe, e574f1a.exe, e578b0a.exe
- 2008 e574d55.exe
- 4588 e574f1a.exe
- 5004 e578b0a.exe
Memory regions matching yara rule upx (UPX packer) in 2008 e574d55.exe and 5004 e578b0a.exe:
Windows security modification
Processes: e574d55.exe, e578b0a.exe
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- e574d55.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- e578b0a.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Checks whether UAC is enabled
Processes: e574d55.exe, e578b0a.exe
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives (3 TTPs, 9 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e574d55.exe, e578b0a.exe
- e574d55.exe: File opened (read-only) \??\H:
- e574d55.exe: File opened (read-only) \??\I:
- e574d55.exe: File opened (read-only) \??\J:
- e578b0a.exe: File opened (read-only) \??\E:
- e574d55.exe: File opened (read-only) \??\G:
- e574d55.exe: File opened (read-only) \??\K:
- e578b0a.exe: File opened (read-only) \??\G:
- e578b0a.exe: File opened (read-only) \??\H:
- e574d55.exe: File opened (read-only) \??\E:
Drops file in Windows directory (3 IoCs)
Processes: e574d55.exe, e578b0a.exe
- e574d55.exe: File created C:\Windows\e574da3
- e574d55.exe: File opened for modification C:\Windows\SYSTEM.INI
- e578b0a.exe: File created C:\Windows\e57b268
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e574d55.exe, e578b0a.exe
- 2008 e574d55.exe (4 times)
- 5004 e578b0a.exe (2 times)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e574d55.exe
- Token: SeDebugPrivilege 2008 e574d55.exe (the same entry repeated 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e574d55.exe, e578b0a.exe
- PID 4396 rundll32.exe wrote to memory of 1792 rundll32.exe
- PID 1792 rundll32.exe wrote to memory of 2008 e574d55.exe
- PID 1792 rundll32.exe wrote to memory of 4588 e574f1a.exe
- PID 1792 rundll32.exe wrote to memory of 5004 e578b0a.exe
- PID 2008 e574d55.exe wrote to memory of: 784 fontdrvhost.exe, 788 fontdrvhost.exe, 336 dwm.exe, 2648 sihost.exe, 2848 svchost.exe, 2796 taskhostw.exe, 3452 Explorer.EXE, 3552 svchost.exe, 3748 DllHost.exe, 3844 StartMenuExperienceHost.exe, 3904 RuntimeBroker.exe, 3996 SearchApp.exe, 3512 RuntimeBroker.exe, 2272 RuntimeBroker.exe, 3956 TextInputHost.exe, 4396 rundll32.exe, 1792 rundll32.exe, 4588 e574f1a.exe, 216 backgroundTaskHost.exe, 4824 backgroundTaskHost.exe
- PID 5004 e578b0a.exe wrote to memory of: 784 fontdrvhost.exe, 788 fontdrvhost.exe, 336 dwm.exe, 2648 sihost.exe, 2848 svchost.exe, 2796 taskhostw.exe, 3452 Explorer.EXE, 3552 svchost.exe, 3748 DllHost.exe, 3844 StartMenuExperienceHost.exe, 3904 RuntimeBroker.exe, 3996 SearchApp.exe, 3512 RuntimeBroker.exe, 2272 RuntimeBroker.exe
(Repeated identical entries from the report are listed once.)
System policy modification (1 TTPs, 2 IoCs)
Processes: e574d55.exe, e578b0a.exe
- e574d55.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e578b0a.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes (depth in the process tree shown as [N])
- [1] C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe")
- [1] C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe")
- [1] C:\Windows\system32\dwm.exe (command line: "dwm.exe")
- [1] C:\Windows\system32\sihost.exe (command line: sihost.exe)
- [1] C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
- [1] C:\Windows\system32\taskhostw.exe (command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- [1] C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - [2] C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll,#1)
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll,#1)
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\e574d55.exe (command line: C:\Users\Admin\AppData\Local\Temp\e574d55.exe)
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - [4] C:\Users\Admin\AppData\Local\Temp\e574f1a.exe (command line: C:\Users\Admin\AppData\Local\Temp\e574f1a.exe)
        - Executes dropped EXE
      - [4] C:\Users\Admin\AppData\Local\Temp\e578b0a.exe (command line: C:\Users\Admin\AppData\Local\Temp\e578b0a.exe)
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- [1] C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
- [1] C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
- [1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
- [1] C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- [1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
- [1] C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- [1] C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- [1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)
- [1] C:\Windows\system32\backgroundTaskHost.exe (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca)
- [1] C:\Windows\system32\backgroundTaskHost.exe (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca)
- [1] C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
- [1] C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
Downloads
- C:\Users\Admin\AppData\Local\Temp\e574d55.exe
  - Filesize: 97KB
  - MD5: fec4f783bd68280cc60aedb74e1a4481
  - SHA1: 05a05fc98323e28d5bb5a2a194a05698911faaea
  - SHA256: d2927b19d9a11f5998311d9a6a98c169dbed017cc197b5180f1cb6de99c2a526
  - SHA512: f582543b4a3151b352e2f4fe300b69db0dd1329f5cf87e512edb8a6178cedb6cc85700eb29043bfe0c5d7673d177ca07513b73a5c1f2238c76162b8c523e3b72
- C:\Windows\SYSTEM.INI
  - Filesize: 257B
  - MD5: b1584fa14735d1475e9223cf8aac515f
  - SHA1: 11d619c157ef08f43df973f58c144eceecf49168
  - SHA256: b036ae8e30b22eb90a0392750e4a09dbe5d284006e6f52eb75c7e76ab45226dd
  - SHA512: a347a34293344e1a7e6e59abac6fd48b43c17ca14cb2ce97bd08abf29b89a50ed836df1ef9281c4addfe6fc016637a8828ac27b1a7ff0fbc303b4c15b0626d19